Date: Wed, 14 Oct 2020 21:53:35 +0200
From: Arsenij Solovjev <xeper000@gmail.com>
To: Ernie Luzar <luzar722@gmail.com>
Cc: Kristof Provost <kp@freebsd.org>, freebsd-jail@freebsd.org
Subject: Re: vnet Jail on a non-dedicated network interface
Message-ID: <CA%2BRQ_Ff-9xT5WMQdGZk37kR2fkP-5xkOiSRR-Vj45Z%2Bzb_7OeQ@mail.gmail.com>
In-Reply-To: <5F8715ED.8020606@gmail.com>
References: <CA%2BRQ_Fd7Z7ynky8iB5h=cV30oRk5mPw0Out-2c=RF_e-AZVo2A@mail.gmail.com>
 <3F8DAE0C-0EA1-40C5-9825-262F547E1954@FreeBSD.org>
 <CA%2BRQ_Fc9HJhuJQe4wxpePe67R%2Be1XcCDBt9HjVHZA7RQfsOHzg@mail.gmail.com>
 <CCF31BD6-2335-4C5D-A230-9AA871466AD3@FreeBSD.org>
 <CA%2BRQ_FfvOCk0QEqNMHgaJ4qAE3G2L3c3p%2BH4gDg1rLyC5L-h5A@mail.gmail.com>
 <5F8715ED.8020606@gmail.com>
Hi Ernie,

please consider the last block in my second email, that is the jail.conf
for the non-dedicated interface. The host runs all "normal" IP networking
on em0.

On Wed, 14 Oct 2020 at 17:14, Ernie Luzar <luzar722@gmail.com> wrote:
> Arsenij Solovjev wrote:
> > On Wed, 14 Oct 2020 at 15:41, Kristof Provost <kp@freebsd.org> wrote:
> >
> >> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
> >>> On Wed, 14 Oct 2020 at 14:42, Kristof Provost <kp@freebsd.org> wrote:
> >>>
> >>>> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
> >>>>> Hi all!
> >>>>> Does anybody know if it's possible to run a vnet jail on a
> >>>>> non-dedicated interface? I have the Lucas book on jails. In it he
> >>>>> says that for vnet you need to pick a dedicated interface, remove
> >>>>> all networking IP configuration and only bring it up. Afterwards
> >>>>> you set up jib and whatnot.
> >>>>>
> >>>>> All works well if I use a dedicated secondary interface (let's call
> >>>>> it em1). If I use em0 however I cannot ping the jail.
> >>>>>
> >>>>> I would like to have a host that has a single network interface
> >>>>> which is used for both normal networking stuff as well as having
> >>>>> the vnet jail run on it.
> >>>>>
> >>>>> Maybe I could create some sort of virtual interface and run vnet on
> >>>>> it?
> >>>>>
> >>>>> Any ideas here? Thanks in advance!
> >>>>>
> >>>> Look at epair interfaces.
> >>>>
> >>>> You can put em0 and epair0a in a bridge together and add epair0b to
> >>>> the vnet jail.
> >>>> That gets the vnet jail connected to your LAN.
> >>>>
> >>>> Or you can skip the bridge, assign an IP to epair0a and route between
> >>>> the jail and your LAN.
> >>>>
> >>>> Regards,
> >>>> Kristof
> >>>>
> >>> Hi Kristof,
> >>>
> >>> Thanks for your reply!
> >>>
> >>> Considering your first idea. I did this, the jail gets created
> >>> seemingly fine.
> >>> However I cannot ping the IP of epair0b (this works when using a
> >>> dedicated interface).
> >>> Also I cannot reach my gateway from within the jail. This too works
> >>> when using a dedicated interface.
> >>> Btw I have "sysctl security.jail.allow_raw_sockets=1".
> >>> snip:
> >>>
> >> This is odd. Are you assigning a new MAC address to the epair interfaces
> >> somewhere? Both ends of the epair seem to have a new MAC address, and
> >> the same one at that.
> >>
> >> Regards,
> >> Kristof
> >>
> >
> > Not explicitly, no, I let the jib script do the epair creation.
>
> To Arsenij Solovjev
>
> For the record sure would like to see your jail.conf file where you
> set up this non-dedicated vnet jail system.
>
> I believe a non-dedicated vnet jail is for local access only. Is that
> correct?
>
> The bridge setup is for public internet access? Is that correct?
>
>
> To Kristof Provost
>
> In your reply you said.
> "Or you can skip the bridge, assign an IP to epair0a and route between
> the jail and your LAN."
> Please explain this statement. Route how?
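The two layouts Kristof describes in the quoted thread (em0 bridged with epair0a and epair0b handed to the vnet jail; or, without a bridge, an IP on epair0a with the host routing), written out as an added example. This is not code from the thread, from the jib script, or from the Lucas book; the interface, bridge and jail names, the jail path and the 10.99.0.0/30 link network are assumptions. `DRY_RUN=1` (the default) only prints the `ifconfig`/`sysctl` commands so the script can be read anywhere; `DRY_RUN=0` on a FreeBSD host as root applies them. The last function checks the symptom Kristof points at, both epair ends showing the same MAC address, against `ifconfig` output.

```shell
#!/bin/sh
# Added example: single-interface host (em0) plus a vnet jail on an epair.
# Names and addresses below are assumptions, not values from the thread.
DRY_RUN=${DRY_RUN:-1}
HOST_IF=${HOST_IF:-em0}      # the one physical NIC; keeps the host's own IP
BRIDGE=${BRIDGE:-bridge0}    # joins HOST_IF and the host end of the epair
EPAIR_N=${EPAIR_N:-0}        # epair0a stays on the host, epair0b goes into the jail

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Option 1 (bridge): the jail sits on the LAN at layer 2 next to the host.
# Bridge members must be brought up themselves; "up" on the bridge is not enough.
bridge_up() {
    run ifconfig "$BRIDGE" create
    run ifconfig "epair${EPAIR_N}" create
    run ifconfig "epair${EPAIR_N}a" up
    run ifconfig "$BRIDGE" addm "$HOST_IF" addm "epair${EPAIR_N}a" up
}

# jail.conf entry for option 1: vnet.interface moves epair0b into the jail's
# own network stack; prestart/poststop create and tear down the pair on the host.
jail_conf_bridge() {
    name=$1
    cat <<EOF
$name {
    host.hostname  = "$name";
    path           = "/jails/$name";          # assumed jail root
    vnet;
    vnet.interface = "epair${EPAIR_N}b";
    exec.prestart  = "ifconfig epair${EPAIR_N} create; ifconfig epair${EPAIR_N}a up; ifconfig $BRIDGE addm epair${EPAIR_N}a";
    exec.start     = "/bin/sh /etc/rc";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "ifconfig epair${EPAIR_N}a destroy";   # destroys both ends
}
EOF
}

# Option 2 (routed, Kristof's second suggestion): no bridge. epair0a gets an
# address on the host, the host forwards, and inside the jail epair0b gets the
# other address of the /30 with its default route pointing at epair0a. The LAN
# side then needs a route for 10.99.0.0/30 via the host (or NAT on the host).
routed_up() {
    run ifconfig "epair${EPAIR_N}" create
    run ifconfig "epair${EPAIR_N}a" inet 10.99.0.1/30 up
    run sysctl net.inet.ip.forwarding=1
}

# Returns 0 when epair<N>a and epair<N>b show two distinct "ether" MACs in the
# ifconfig output passed as $1, 1 if one is missing or both share one address.
epair_macs_distinct() {
    macs=$(printf '%s\n' "$1" | awk -v n="$EPAIR_N" '
        $1 ~ "^epair" n "[ab]:" { cur = $1 }
        cur != "" && $1 == "ether" { print $2; cur = "" }')
    count=$(printf '%s\n' "$macs" | sort -u | grep -c .)
    [ "$count" -eq 2 ]
}

# Constructed ifconfig output (not captured from the thread) for the check above.
SAMPLE_OK='epair0a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:c7:81:1a:ea:0a
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:c7:81:1a:ea:0b'
SAMPLE_DUP='epair0a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:c7:81:1a:ea:0a
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:c7:81:1a:ea:0a'

if [ "${1:-}" = "show" ]; then
    bridge_up; echo; jail_conf_bridge web; echo; routed_up
    epair_macs_distinct "$SAMPLE_DUP" || echo "duplicate epair MAC detected in sample"
fi
```

Run `sh thisfile.sh show` to print both command sequences and the jail.conf entry without touching any interface. On a live host, `ifconfig bridge0` should list both em0 and epair0a as members, and `ifconfig epair0a`/`ifconfig epair0b` should show different MAC addresses; the `epair_macs_distinct` check is the scripted form of that second look.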